Block Spoofed Spam from popular domains


This article applies to:

  • Trustwave MailMarshal (SEG)

Question:

  • How can I block spoofed spam messages from well known domains?

Information:

Spammers are known to spoof messages using popular domains that most companies trust, such as microsoft.com, linkedin.com, or yahoo.com. 

If you find that spam that spam appearing to be from these domains is being delivered to users, first ensure that you have not entered these domains (or specific addresses) on an allow list. Allowing entire domains is one of the main issues that reduces the effectiveness of spam filtering.

Also review your use of the various anti-spam technologies in MailMarshal, such as SpamProfiler, SpamCensor, and Blended Threat Service.

As another line of defense, you can filter these messages based on Reverse DNS (PTR record) information.

MailMarshal SMTP can mark or refuse email from an external server if it does not have a published PTR record. Because email servers of well-known domains usually have correctly published Reverse DNS information, you can use Host Validation to help guarantee the genuineness of a remote site or sending server.

To use Reverse DNS checking for a limited number of domains:

  1. In the MailMarshal (SEG) 10 Management Interface or MailMarshal Configurator, navigate to the Host Validation item (in SEG Properties>Receiver). Enable Validate connecting hosts in the DNS and select Accept unknown hosts.

    This will allow the message through to the MailMarshal engine, but when no PTR record is found, the receiver writes the words "Not Verified" in the received: line of the header. It's possible to take advantage of this fact with an Engine rule.

    The received line will look something like the following:

    Received: from microsoft.com (not verified[1.2.3.4]) by msatlexchange.us.atlanta.marshalsoftware.com with MailMarshal (6,8,4,0) id <BA000168c7>; Mon, 21 Feb 2011 00:53:15 -1300 

  2. Create a TextCensor script called NotVerified Check which triggers on the following entry (substitute the name of your server as required): 

    received FOLLOWEDBY=10 not verified FOLLOWEDBY=10 your_server_name

    Choose to apply this TextCensor script to the Message Header.

  3. Create a user group called Check PTR Records which is to contain all the well-known/popular domains to be checked for valid PTR records. You should enter these in a wildcard format (for instance, *@microsoft.com )

  4. Create a Standard Rule like the following:

    When a message arrives
    Where addressed from 'Check PTR Records'
    Where message triggers text censor script(s) 'NotVerified Check'
    Move the message to 'Bad Pointer Lookup'

    The above rule will move a message to the 'Bad Pointer Lookup' quarantine folder if:
    • The originating server has no Reverse DNS entry, AND
    • The message is from a domain in your 'Check PTR Records' user group.

Notes:

  • You should only populate the Check PTR Records group with names of domains that you have verified do actually publish Reverse DNS information, such as *@hotmail.com, *@microsoft.com, *@gmail.com, *@linkedin.com .
    • Trustwave recommends you check each domain you plan to add.
    • Unfortunately, many legitimate email servers do not have correct PTR records.
  • If the spam message genuinely originates from one of the well known domains (for instance if a webmail account or user profile at the site has been compromised), the message might not be blocked by this method.
  • It is possible to check whether the PTR record returned matches the host. However, this check might result in large numbers of false positives. Reputable large email providers are known to have non-matching PTR records because of the very large number of sending hosts they use. 

Last Modified 2/8/2021.
https://support.trustwave.com/kb/KnowledgebaseArticle14117.aspx